Re: password hashes in /etc/jabberd/*.xml?
From: John Schmitt nuon...@yahoo.com

> > Where did you get the idea of hashes in config files?
>
> I got them from looking at the default configuration files in my distribution, Fedora 11.

Oh. Fedora. Now I get it...

> > Have you read http://jabberd2.xiaoka.com/wiki/InstallGuide ?
>
> Yes. I see mention of changing the password but no mention of how to generate the long string used in the default configuration.

Please check how these files looked before Fedora changes:
http://codex.xiaoka.com/svn/jabberd2/trunk/etc/
ex. http://codex.xiaoka.com/svn/jabberd2/trunk/etc/c2s.xml.dist.in

    <!-- Username/password to authenticate as -->
    <user>jabberd</user>    <!-- default: jabberd -->
    <pass>secret</pass>     <!-- default: secret -->

I hope it's clear now what you should do. :-)

--
Tomasz Sterna
Instant Messaging EDI Consultant Open Source Developer
http://tomasz.sterna.tv/ http://www.xiaoka.com/

--
To unsubscribe send a mail to jabberd2+unsubscr...@lists.xiaoka.com
Re: password hashes in /etc/jabberd/*.xml?
From: John Schmitt nuon...@yahoo.com

> Could I just enter the plaintext password there?

You enter the password, not the hash to the config file.

> Would that make my setup less secure?

Why would that?

--
Tomasz Sterna
Instant Messaging EDI Consultant Open Source Developer
http://tomasz.sterna.tv/ http://www.xiaoka.com/
Re: password hashes in /etc/jabberd/*.xml?
Hi Tomasz, thanks for replying.

On Thu, Jul 30, 2009 at 11:11:49AM +0200, Tomasz Sterna wrote:
> From: John Schmitt nuon...@yahoo.com
>
> > Could I just enter the plaintext password there?
>
> You enter the password, not the hash to the config file.

How was that long string derived from secret generated? Why was it used rather than a plain text password? How can I generate my own?

> > Would that make my setup less secure?
>
> Why would that?

For the same reason that it's not a plain text password in every .xml file. I only vaguely understand security but I understand that you don't want to send a password in the clear over a network, but I don't understand why some .xml files store a hashed string and some simply store a plaintext password.
Re: password hashes in /etc/jabberd/*.xml?
From: John Schmitt nuon...@yahoo.com

> > > Could I just enter the plaintext password there?
> >
> > You enter the password, not the hash to the config file.
>
> How was that long string derived from secret generated? Why was it used rather than a plain text password? How can I generate my own?

Where did you get the idea of hashes in config files?
Have you read http://jabberd2.xiaoka.com/wiki/InstallGuide ?

> > > Would that make my setup less secure?
> >
> > Why would that?
>
> For the same reason that it's not a plain text password in every .xml file. I only vaguely understand security but I understand that you don't want to send a password in the clear over a network, but I don't understand why some .xml files store a hashed string and some simply store a plaintext password.

Putting the password (a shared secret to be more precise) in the configuration file does not mean it will be sent plaintext over the wire. The jabberd2 server has hashing and encryption implemented and is perfectly able to hash secrets and encrypt the stream by itself. :-)

--
Tomasz Sterna
Instant Messaging EDI Consultant Open Source Developer
http://tomasz.sterna.tv/ http://www.xiaoka.com/
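Added example (not part of the thread and not jabberd2 project code): because the shared secret sits in the config file as plain text, what protects it is a non-default value and restrictive file permissions. This Python check flags `<pass>` elements still set to the upstream default `secret` and config files accessible to other users; the enclosing element names in the constructed sample are assumptions.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

DEFAULT_SECRETS = {"secret"}  # upstream default quoted from c2s.xml.dist.in

# Constructed sample, modelled on the <user>/<pass> lines quoted in the thread.
# The enclosing <c2s>/<router> element names are assumptions.
SAMPLE = """<c2s>
  <router>
    <user>jabberd</user>
    <pass>secret</pass>
  </router>
</c2s>"""


def find_default_secrets(xml_text):
    """Return paths of <pass> elements still set to a default secret."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag == "pass" and (elem.text or "").strip() in DEFAULT_SECRETS:
            hits.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


def audit_file(path):
    """Return findings for one config file: loose modes and default secrets."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: mode {mode:04o} is accessible to other users")
    with open(path, encoding="utf-8") as fh:
        for hit in find_default_secrets(fh.read()):
            findings.append(f"{path}: {hit} is still the default secret")
    return findings


if __name__ == "__main__":
    # With file arguments, audit each one; with none, run on the sample.
    for p in sys.argv[1:]:
        print("\n".join(audit_file(p)))
    if len(sys.argv) == 1:
        print(find_default_secrets(SAMPLE))
```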
Re: password hashes in /etc/jabberd/*.xml?
On Thu, Jul 30, 2009 at 09:28:21PM +0200, Reinhard Max wrote:

Hi,

Thank you very much for your explanation. You've corrected several assumptions, one of which was that the password was statically set by the jabber developers. This explains a lot and allows me to proceed with my setup.

John